Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201811-20 ] spice-gtk: Remote code execution
Date: Tue, 27 Nov 2018 02:15:11
Message-Id: 20181127020646.GD19214@monkey
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201811-20
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: spice-gtk: Remote code execution
9 Date: November 27, 2018
10 Bugs: #650878
11 ID: 201811-20
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in spice-gtk could allow an attacker to remotely
19 execute arbitrary code.
20
21 Background
22 ==========
23
24 spice-gtk is a set of GObject and Gtk objects for connecting to Spice
25 servers and a client GUI.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-misc/spice-gtk < 0.34 >= 0.34
34
35 Description
36 ===========
37
38 A vulnerability was found in spice-gtk client due to the incorrect use
39 of integer types and missing overflow checks.
40
41 Impact
42 ======
43
44 An attacker, by enticing the user to join a malicious server, could
45 remotely execute arbitrary code or cause a Denial of Service condition.
46
47 Workaround
48 ==========
49
50 There is no known workaround at this time.
51
52 Resolution
53 ==========
54
55 All spice-gtk users should upgrade to the latest version:
56
57 # emerge --sync
58 # emerge --ask --oneshot --verbose ">=net-misc/spice-gtk-0.34"
59
60 References
61 ==========
62
63 [ 1 ] CVE-2017-12194
64 https://nvd.nist.gov/vuln/detail/CVE-2017-12194
65
66 Availability
67 ============
68
69 This GLSA and any updates to it are available for viewing at
70 the Gentoo Security Website:
71
72 https://security.gentoo.org/glsa/201811-20
73
74 Concerns?
75 =========
76
77 Security is a primary focus of Gentoo Linux and ensuring the
78 confidentiality and security of our users' machines is of utmost
79 importance to us. Any security concerns should be addressed to
80 security@g.o or alternatively, you may file a bug at
81 https://bugs.gentoo.org.
82
83 License
84 =======
85
86 Copyright 2018 Gentoo Foundation, Inc; referenced text
87 belongs to its owner(s).
88
89 The contents of this document are licensed under the
90 Creative Commons - Attribution / Share Alike license.
91
92 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature